Compliance Today, August 2016: Creative passion, collaboration, and soft skills in Compliance
Compliance Today, August 2016. A publication of the Health Care Compliance Association.

Cover feature: Creative passion, collaboration, and soft skills in Compliance: an interview with Walter E. Johnson, Director of Compliance and Ethics, Kforce Government Solutions, Inc.

Also in this issue:
- When employees cry foul: OSHA's investigation of whistleblower claims (Jim Vines and Stephen McCullers)
- Are you faxing your way to a HIPAA violation? (Rick Brinegar)
- A legal perspective on external peer review (Theresamarie Mantese and Jordan B. Segal)
- Navigating the choppy waters of medical director contracts (Cameron Duncan)

This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Contact HCCA with reprint requests.
by Jennifer Mitchell, JD, CIPP/US and Lauren Rosen, MPA, CPC

Identifying and managing HIPAA risks in mobile health

» Mobile health, or mhealth, is a rising use of consumer electronic technology within the healthcare industry that fosters greater transparency and convenience in healthcare delivery.
» Mobile application developers, as well as organizations that use mhealth technologies, must determine whether their activities are governed by HIPAA and, if so, whether their organization is HIPAA-compliant.
» An mhealth company may be appropriately classified as a business associate of a covered entity depending on the identity of the end user, the type of relationship between the entities, and what information is shared.
» OCR guidance confirms that mobile app developers are not covered entities under HIPAA, although they may be business associates if they work directly for a health plan, clearinghouse, or provider.
» Cybersecurity is the foundation for protection of personal data in an mhealth application.

Jennifer Mitchell (jennifer.mitchell@navigant.com) is a Director with Navigant Consulting, Inc. in Los Angeles. Lauren Rosen (lauren.rosen@navigant.com) is a Senior Consultant with Navigant Consulting, Inc. in New York City. bit.ly/jennifer-mitchell

Advancements in technology and improved access to health information have changed the landscape of our healthcare system over the past decade, and there can be little doubt that this trend will only accelerate in the years ahead. As a result, it is more important than ever that those who design or use newly available health technologies stay ahead of the privacy and data security risks that come with these advancements.

The move toward consumer-driven healthcare, the ease of sharing and exchanging health information, and the passage of the Affordable Care Act (ACA) have encouraged the creation of novel platforms through which healthcare is organized and made available directly to patients, healthcare providers, and family members. The concept of accountable healthcare fundamentally links healthcare and wellness initiatives to positive outcomes. Indeed, even before the inception of the ACA, the Centers for Medicare & Medicaid Services (CMS) implemented the Meaningful Use program under the American Recovery and Reinvestment Act (ARRA). This program incentivizes hospitals and physicians to adopt and use electronic health records (EHR) in meaningful ways. It also encourages patient engagement and allows patients to be more involved in their care, including an understanding of their own health outcomes via patient portals.

What is mobile health?

Mobile health, or mhealth, is a rising use of consumer electronic technology within the healthcare industry that fosters greater transparency and convenience in healthcare delivery. It enables both the patient and the provider to access mobile tools at any time, and it supports continual care management across various devices and platforms. One of the biggest challenges mhealth faces is how to protect privacy and secure the sensitive patient information exchanged. Although the accessibility of healthcare data creates enhanced pathways for providers and patients to communicate and potentially make more informed decisions about clinical intervention, the ease with which data can be accessed is also its biggest threat.

Mobile health may include a variety of mobile communication devices, such as smartphones and tablet computers, that support the practice of medicine, health, and wellness. The growing list of examples of mhealth includes:
- Patient monitoring devices
- Mobile telemedicine/telecare devices
- Medication adherence monitoring
- Activity monitoring
- Smart wearables/smartphone applications (e.g., Jawbone, Fitbit)
- Emergency response systems
- Health-related mlearning for the general public, and
- Support for long-term or chronic conditions

According to the 2014 Mobile Devices Study by the Healthcare Information and Management Systems Society (HIMSS), 500 million smartphone users worldwide would be using a healthcare application. Almost 83% of the physicians who participated in the survey reported that they had downloaded at least one medical app. Another 33% of physicians and 75% of nurses reported using medical apps on smartphones daily as part of their work. About a third (35%) of the responding hospitals reported that they offered medical apps to patients in the form of patient portals, telehealth services, and various forms of remote monitoring. [1] As the mhealth sector grows, however, the risks associated with the storage and/or transfer of sensitive health information across multiple platforms are also on the rise.

Mobile application developers, as well as organizations that use mhealth technologies, must determine whether their activities are governed by HIPAA and, if so, whether their organization is HIPAA-compliant.

HIPAA and the entities it regulates

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards protected health information (PHI) from being used or disclosed without the patient's authorization, except where the Privacy Rule expressly permits it (for example, for treatment, payment, and healthcare operations). In addition, HIPAA's Security Rule imposes administrative, physical, and technical safeguard requirements for storing and transmitting electronic PHI (ePHI). As the landscape of healthcare changed, the HIPAA rules adapted to the growing amount of information healthcare organizations collected and managed: the 2013 Omnibus Rule extended the privacy and security requirements directly to the contractors and subcontractors of healthcare organizations.

Health plans, healthcare clearinghouses, and most healthcare providers are covered entities (CEs) under HIPAA and are therefore regulated by it. Most often, covered entities are the initial gatekeepers of PHI and are likely to control the main data warehouse where PHI is stored. Many covered entities have relationships and partnerships with other organizations, commonly known as business associates, such as EHR vendors, law firms, and information technology companies. These organizations may use and/or store some or all of the PHI data elements. Business associates may also subcontract with other vendors and pass along the same PHI housed by the covered entity and the business associate. If a covered entity delegates any privacy or security function or duty to a business associate, the business associate must perform it in compliance with the HIPAA Privacy and Security Rules. In fact, business associates are directly subject to civil and, in some cases, criminal penalties for the inappropriate disclosure of PHI. Covered entities, business associates, and all other downstream entities that adopt mhealth technologies must be cognizant of the storage and transmission of PHI across all related entities, as well as of other types of sensitive consumer-generated data.

mhealth businesses: Covered entities or business associates?

One of the initial challenges the mhealth industry faces is deciphering whether it is regulated under HIPAA. An mhealth company may be appropriately classified as a business associate of a covered entity depending on the identity of the end user, the type of relationship between the entities, and what information is shared. In February 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) provided much-awaited guidance to mobile application developers on the applicability of HIPAA to their operations. OCR also published a crosswalk mapping the National Institute of Standards and Technology (NIST) Cybersecurity Framework to the HIPAA Security Rule, and designed an interactive website where mobile app developers and healthcare organizations can submit questions to determine whether an entity is required to follow HIPAA. The website also provides examples of circumstances under which an app developer would be regulated by HIPAA. [2]

In its guidance, OCR confirms that mobile app developers are not covered entities under HIPAA, although they may be business associates if they work directly for a health plan, clearinghouse, or provider. Specifically, OCR stated that an mhealth application developer is a business associate if: (1) it contracts with a healthcare provider or healthcare organization; (2) the device or software allows a patient to enter their PHI; and (3) the information is transferred directly into the patient's EHR for purposes of care decision-making or planning. The OCR guidance suggests mobile app developers consider the following questions to determine whether they are business associates:
- Are your clients covered entities or other business associates, such as hospitals, doctors' offices, clinics, pharmacies, or other healthcare providers?
- Do these covered entities or business associates transmit PHI to health insurance organizations, or health and wellness program-related information to a health plan offered by an employer?
- How will the covered entity or other business associate use the data? (e.g., an application that assists a physician with following up with patients and providing information about an office visit)
- Were you hired by, or are you paid for your service or product by, a covered entity?
- How is the data collected? Is it collected for or on behalf of consumers, or for or on behalf of a provider, health plan, or healthcare clearinghouse?

Conversely, according to the OCR guidance, a mobile health app that allows consumers to create, receive, maintain, or transmit information about themselves is not likely required to comply with HIPAA. In this scenario, the individual is the gatekeeper of his/her own information and has decided to transmit this health information to a third party. Here, the app developer does not have the requisite relationship with a covered entity or business associate, because the consumer controls all decisions regarding the transmission of PHI to the third party. Accordingly, wellness apps and other consumer-driven health-related apps not used by covered entities or business associates may not be subject to HIPAA. However, organizations should be aware that these companies may be subject to other regulators, such as the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA). The FTC's Health Breach Notification Rule covers entities outside HIPAA that handle similar data, including:
- Vendors of personal health records (PHRs);
- PHR-related entities (e.g., web- and mobile-based apps for health information); and
- Third-party service providers for a vendor of PHRs or a PHR-related entity. [3]

Developers should also review the FDA standards for mobile applications, some of which are classified as medical devices. The FDA defines a mobile medical application as an app that is an accessory to a regulated medical device, or that transforms a mobile platform into a regulated medical device. [4] These requirements continue to evolve, and the FDA encourages mobile app developers to check the regulations periodically.

Importance of HIPAA breach prevention in mhealth

There is no doubt that mhealth provides many conveniences and the potential for health enhancements for its users. However, the shelf life of an app may be brief, because the market is saturated and newer/improved versions of these apps are developed at a rapid pace. As a result, a healthcare organization may rush to bring new and improved apps to market and may be tempted to overlook critical security measures. Indeed, a 2016 study found that 86% of the 71 healthcare apps tested had at least two critical security vulnerabilities. In the same study, 54% of those surveyed (55% of health app users and 48% of health app executives) believed their mobile health apps would be hacked within the next six months. The study also reported that the application layer (i.e., the absence of binary protection against reverse engineering and tampering) is where these apps are most exposed. [5,6] HIPAA breaches are often costly and may erode consumers' confidence in an app and/or the organization promoting it. Under HIPAA, a breach of unsecured PHI requires notification of the individuals whose information may have been compromised (and, for breaches affecting 500 or more individuals, of HHS and prominent media) and can result in civil penalties of up to $50,000 per violation. PHI that is encrypted in line with HHS guidance is not "unsecured" under the Breach Notification Rule, which is why device-level encryption is the single most effective way to keep a lost or stolen phone from becoming a reportable breach.

Conclusion

The best defense is a strong offense. Cybersecurity is the foundation for protection of personal data in an mhealth application. Beyond the usability and benefits mobile healthcare apps provide, protecting and securing PHI is key to an app's success. The following is a sample of the steps an mhealth app developer should consider to support the security of the application and protect PHI:
- Follow the technical, physical, and administrative specifications from bodies such as OCR, the FTC, and the FDA, and keep up to date on any new developments from these regulators;
- Investigate whether data should be encrypted at every point of its lifecycle in the application (e.g., at rest and in transit);
- Consider any encryption requirements for electronic communications;
- Ensure the app requires a passcode to access the application; and
- Determine whether technical safeguards such as anti-tampering or anti-counterfeiting measures need to be built into the app.

Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See navigant.com/licensing for a complete listing of private investigator licenses.

References
1. HIMSS Analytics: 3rd Annual HIMSS Analytics Mobile Survey, February 26.
2. U.S. Department of Health and Human Services, Office for Civil Rights: HIPAA Portal.
3. Federal Trade Commission: Complying with the FTC's Health Breach Notification Rule.
4. Food and Drug Administration: Nonbinding Guidance on Mobile Medical Applications, February 9.
5. Arxan: 2016 State of Application Security: Top Health Care Apps in Critical Condition.
6. Arxan: 2016 State of Application Security: Infographic, Mobile Health Apps.
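Three items of the closing checklist (encryption at rest, a passcode gate, and anti-tampering) meet in one place: the cache of PHI an app keeps on the device. The following is an added example written for this edit, not code from the article or from Navigant. It is a small Go vault that seals each record with AES-256-GCM, binds the record's identifier as associated data so a blob cannot be moved between record slots, and refuses to return any plaintext when the stored bytes have been altered. The record type, record IDs and sample values are constructed for the example, and the key is generated in memory as a stand-in for a key released from the platform keystore after passcode unlock.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PHIRecord is a constructed sample of data an mhealth app might cache on the device.
type PHIRecord struct {
	PatientID string  `json:"patient_id"`
	Reading   string  `json:"reading"`
	Value     float64 `json:"value"`
}

// Vault protects records at rest with AES-256-GCM. Assumption: the key is held in memory here; a real app would release it from the platform keystore only after passcode unlock.
type Vault struct{ aead cipher.AEAD }

// NewVault accepts only a 32-byte key, so a truncated key cannot silently weaken the cipher.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("vault: key must be 32 bytes (AES-256)")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return &Vault{aead: aead}, nil
}

// Seal encrypts rec for storage under recordID. The ID is bound as associated data, so a blob copied into another record's slot will not open. Layout: nonce || ciphertext || tag.
func (v *Vault) Seal(recordID string, rec PHIRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, v.aead.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open authenticates before decrypting: any change to nonce, ciphertext or tag, or a recordID mismatch, yields an error and no plaintext.
func (v *Vault) Open(recordID string, blob []byte) (PHIRecord, error) {
	var rec PHIRecord
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return rec, errors.New("vault: blob too short")
	}
	plaintext, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("vault: integrity check failed: %w", err)
	}
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

// TamperDemo seals a constructed record and runs the checks an app's own tests should cover: the untouched blob round-trips, while a flipped ciphertext byte, a flipped tag byte and a blob moved to another record ID are all rejected.
func TamperDemo() (bool, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return false, err
	}
	v, err := NewVault(key)
	if err != nil {
		return false, err
	}
	rec := PHIRecord{PatientID: "demo-0001", Reading: "glucose_mg_dl", Value: 104}
	blob, err := v.Seal("rec-42", rec)
	if err != nil {
		return false, err
	}
	if got, err := v.Open("rec-42", blob); err != nil || got != rec {
		return false, fmt.Errorf("round-trip failed: %v", err)
	}
	flipBit := func(i int) []byte { // copy of blob with one bit flipped in byte i
		c := append([]byte(nil), blob...)
		c[i] ^= 0x80
		return c
	}
	for _, tc := range []struct{ id string; blob []byte }{
		{"rec-42", flipBit(v.aead.NonceSize())}, // first ciphertext byte
		{"rec-42", flipBit(len(blob) - 1)},      // last tag byte
		{"rec-43", blob},                        // intact blob, wrong record slot
	} {
		if _, err := v.Open(tc.id, tc.blob); err == nil {
			return false, fmt.Errorf("tampered input accepted for %s", tc.id)
		}
	}
	return true, nil
}

func main() {
	ok, err := TamperDemo()
	fmt.Println("tamper checks passed:", ok, err)
}
```

Run it with `go run`; TamperDemo reports true only when the untouched blob round-trips and all three tampered inputs fail authentication. Because the nonce is drawn at random for every record, one data key should not seal more than about 2^32 records under this scheme; rotating the key, or deriving a per-record key from it, removes that limit.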
More informationSecuring IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates
Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Ruby Raley, Director Healthcare Solutions Axway Agenda Topics: Using risk assessments to improve
More informationSECURITY STATE OF THE INDUSTRY
SECURITY STATE OF THE INDUSTRY An Interview with Stephen Treglia JD, HCISPP, HIPAA Compliance Officer, Investigations Section, Absolute OVERVIEW The health sector is rapidly adopting new technologies,
More informationAgenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute
Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement
More informationMobile Application Privacy Policy
Mobile Application Privacy Policy Introduction This mobile application is hosted and operated on behalf of your health plan. As such, some information collected through the mobile application may be considered
More informationa publication of the health care compliance association MARCH 2018
hcca-info.org Compliance TODAY a publication of the health care compliance association MARCH 2018 On improv and improving communication an interview with Alan Alda This article, published in Compliance
More informationHIPAA & Privacy Compliance Update
HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com
More informationHIPAA and the Chiropractic Practice
Back to Chiropractic CE Seminars Welcome: This course is approved for 2 Hours of CE for Ethics & Law (HIPAA and the Chiropractic Practice) for the Chiropractic Board of Examiners for the state of California.
More informationHIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED
HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within
More informationDAVID J BEHINFAR, JD., LLM., CHC, CHRC, CCEP, HCISPP, CIPP/US P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT
P23: AN EFFECTIVE PRIVACY PROGRAM BUILT THROUGH STRATEGIC VISION AND LEADERSHIP SUPPORT APRIL 7, 2019 David Behinfar, Chief Privacy Officer University of North Carolina Health Katherine Georger, Associate
More informationSeven gray areas of HIPAA you can t ignore
White Paper: HIPAA Gray Areas Seven gray areas of HIPAA you can t ignore This guide exists to shed some light on some of the gray areas of HIPAA (the Health Insurance Portability and Accountability Act).
More informationCompliance & HIPAA Annual Education
Compliance & HIPAA Annual Education 1 The purpose of this education is to UPDATE The purpose and of this education REFRESH is to UPDATE your and REFRESH understanding understanding of: of: Aultman s Compliance
More informationSolutions for Unified Critical Communications. Patient Care Coordination and Provider Collaboration with HIPAA Compliant Texting and Telemedicine
Solutions for Unified Critical Communications Patient Care Coordination and Provider Collaboration with HIPAA Compliant Texting and Telemedicine Agenda + The patient perspective + The challenge and benefits
More informationby Robert Hudock and Patricia Wagner April 2009 Introduction
HITECH Updates: Proposed Health Breach Notification Rule Promulgated by the FTC; HHS Releases Guidance on How to Render PHI Unusable, Unreadable, or Indecipherable by Robert Hudock and Patricia Wagner
More informationUpdate on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016
Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,
More informationGlobal Headquarters: 5 Speen Street Framingham, MA USA P F
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.935.4445 F.508.988.7881 www.idc-hi.com Agile IT for Accountable Care Success: E n d - to- End Cloud Solutions for H e a l thcare Providers
More informationAUSTRALIA Building Digital Trust with Australian Healthcare Consumers
AUSTRALIA Building Digital Trust with Australian Healthcare Consumers Accenture 2017 Consumer Survey on Healthcare Cybersecurity and Digital Trust 2 Consumers in Australia trust healthcare organisations
More informationHIPAA Federal Security Rule H I P A A
H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created
More informationStatement of HIPAA Readiness February 2003
Statement of HIPAA Readiness February 2003 Copyright 2003 WebMD Envoy Corporation. All Rights Reserved. Rev. 02/03 Table of Contents 1 Meeting the HIPAA Challenge...1 Overview...1 WebMD Envoy HIPAA Readiness...2
More informationHIPAA For Assisted Living WALA iii
Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...
More informationand Privacy HIPAA-Compliance Checklist
Email and Privacy HIPAA-Compliance Checklist TBHI Checklist Copyright 2017 Telebehavioral Health Institute All rights reserved. Telebehavioral Health Institute www.telehealth.org No part of this publication
More informationThe CIO s BYOD Toolbox: Top Trends for HIPAA Compliant mhealth
The CIO s BYOD Toolbox: Top Trends for HIPAA Compliant mhealth Sponsored by: CUSTOM MEDI A Executive Summary We are all connected. Look around you in any café, shop, or emergency department waiting room,
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More informationHIPAA AND SECURITY. For Healthcare Organizations
HIPAA AND EMAIL SECURITY For Healthcare Organizations Table of content Protecting patient information 03 Who is affected by HIPAA? 06 Why should healthcare 07 providers care? Email security & HIPPA 08
More informationHIPAA Security Manual
2010 HIPAA Security Manual Revised with HITECH ACT Amendments Authored by J. Kevin West, Esq. 2010 HALL, FARLEY, OBERRECHT & BLANTON, P.A. DISCLAIMER This Manual is designed to set forth general policies
More informationState of US Telemedicine Industry
State of US Telemedicine Industry Prepared for ETSI Sophia Antipolis, France 6 May 2014 Agenda Current State of Healthcare in the US Industry dynamics Adoption of telemedicine/mhealth/digital health Healthcare
More informationCloud & Managed Server Hosting for Healthcare Professionals
Cloud & Managed Server Hosting for Healthcare Professionals HIPAA AICPA SOC aicpa.org/soc4so SOC for Service Organizations Service Organizations Cloud & Managed Server Hosting for Healthcare Professionals
More informationEmerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI Web Hull Privacy, Data Protection, & Compliance Advisor
Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationTopics 4/11/2016. Emerging Challenges in mhealth: Keeping Information Safe & Secure. Here s the challenge It s just the beginning of mhealth
Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.
More informationApril 2018 Page 1 of 14
April 2018 Page 1 of 14 Abstract The adoption of cloud and mobile technologies in healthcare is disrupting the services delivery models, and responsibilities and risks for involved actors. By their very
More information8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID
Billing & Reimbursement Revenue Cycle Management 8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing and Reimbursement for Physician Offices, Ambulatory Surgery Centers and Hospitals Billings & Reimbursements
More informationHealthcare in the Public Cloud DIY vs. Managed Services
Business White Paper Healthcare in the Public Cloud DIY vs. Managed Services Page 2 of 9 Healthcare in the Public Cloud DIY vs. Managed Services Table of Contents Page 2 Healthcare Cloud Migration Page
More informationmhealth: Privacy Challenges in Smartphone-based Personal Health Records and a Conceptual Model for Privacy Management
mhealth: Privacy Challenges in Smartphone-based Personal Health Records and a Conceptual Model for Privacy Management ehealth Workshop 28-29 Oct 2014 Middlesex University, London, UK Edeh Esther Omegero
More informationProtecting PHI in the Cloud. Session #47, February 20, 2017 Kurt J. Long, Founder & CEO, FairWarning, Inc.
Protecting PHI in the Cloud Session #47, February 20, 2017 Kurt J. Long, Founder & CEO, FairWarning, Inc. 1 Speaker Introduction Kurt J. Long Founder & CEO FairWarning, Inc. 2 Conflict of Interest Kurt
More informationTransforming Healthcare with mhealth Solutions.
Transforming Healthcare with mhealth Solutions. Global Mobile Health Market 45% of mhealth APPs users are worried by data privacy and usage of their data By 2017... 3,4 billion people will have smartphones
More informationSecure Messaging Mobile App Privacy Policy. Privacy Policy Highlights
Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review
More informationElements of a Swift (and Effective) Response to a HIPAA Security Breach
Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association of Nurse Attorneys Disclaimer The information
More informationNot Just Another Day of HIPAA
Not Just Another Day of HIPAA Presented by: Patti Klingel, PhD, CPHQ, CRM, CHC Director of Corporate Compliance & Organizational Ethics United Church Homes, Inc. Disclosure I have no vested interest in
More informationDeMystifying Data Breaches and Information Security Compliance
May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts
More informationCYBERSECURITY IN THE POST ACUTE ARENA AGENDA
CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities
More information